Pete Chown <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>
> > SHA-1 is only 2^80 strong against a birthday attack. If you
> > go around using SHA-1 or worse yet MD5 to sign stuff then
> > using a private key of size > 1024 is only of limited value.
>
> If you want to forge a signature, you will probably not be able to use
> the birthday attack. You need to find something whose hash is
> identical to one already signed, not just a random collision.

That depends on your threat model. If you're trying to get
someone who would ordinarily sign a document for you (like a contract)
then you just generate two versions, one signable and one
dangerous and get them to sign the signable one. It's fairly easy
to use a birthday attack to generate two versions that hash collide
by manipulating spaces, line breaks etc.
-Ekr
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
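
Added example (not part of the original message and not OpenSSL code): the whitespace-variant birthday search described in the reply above, run against SHA-1 truncated to a few bits so that it finishes quickly and shows the work growing as roughly 2^(n/2) hashes for an n-bit digest. The contract texts, the function names and the truncation are assumptions made for the illustration.

```python
import hashlib

# Constructed sample texts (not from the original message).
SIGNABLE = ("The buyer agrees to pay the seller the sum of one hundred dollars "
            "on delivery of the goods described in schedule A")
ALTERED = SIGNABLE.replace("one hundred", "one hundred thousand")

def short_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1: a stand-in for an n-bit digest."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def variant(words, i: int) -> bytes:
    """Variant i of a text: bit j of i puts one or two spaces after word j."""
    gaps = ("  " if (i >> j) & 1 else " " for j in range(len(words) - 1))
    return "".join(w + g for w, g in zip(words, gaps)).encode() + words[-1].encode()

def find_colliding_pair(signable: str, altered: str, bits: int):
    """Return (signable_variant, altered_variant, hashes_computed) or None."""
    sw, aw = signable.split(), altered.split()
    table_size = 1 << (bits // 2)            # about 2^(n/2) variants of one text
    if table_size > 1 << (len(sw) - 1):
        raise ValueError("signable text has too few word gaps for this digest size")
    table = {}
    for i in range(table_size):
        v = variant(sw, i)
        table.setdefault(short_hash(v, bits), v)
    for i in range(1 << (len(aw) - 1)):      # walk variants of the other text
        v = variant(aw, i)
        hit = table.get(short_hash(v, bits))
        if hit is not None:
            return hit, v, table_size + i + 1
    return None

if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, work = find_colliding_pair(SIGNABLE, ALTERED, bits)
        print(f"{bits}-bit digest: collision after {work} hashes (2^{bits // 2} = {1 << bits // 2})")
```

With the full 160-bit SHA-1 output the same search costs on the order of 2^80 hashes, which is the figure quoted at the top of the thread.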